High-performance signal pipeline: client SDK collection, encrypted transport, proprietary identification, and analytics storage
tracio.ai uses a client-server architecture where a lightweight JavaScript SDK runs in the browser, collects hardware and software signals, encrypts the payload, and sends it to our secure cloud for processing. The server decrypts the signals, runs them through a multi-stage identification pipeline, and returns a stable visitor ID, confidence score, bot detection results, 24 smart signals, and IP intelligence in a single JSON response.
This architecture ensures that sensitive signal processing and visitor matching happen exclusively server-side in our secure cloud, where the logic cannot be inspected or tampered with by malicious visitors. The client SDK only collects raw signals and has no knowledge of visitor IDs, matching algorithms, or detection logic.
┌───────────────┐ ┌────────────────────┐│ Browser │ ── signals ─▶ │ tracio.ai Cloud ││ (JS SDK) │ │ (identification ││ │ ◀── result ── │ engine) │└───────────────┘ └────────────────────┘1. SDK collects device signals and encrypts them (AES-256-GCM)2. Server identifies the visitor using proprietary matching3. Returns: visitorId, confidence, bot detection, smart signals, IP intelThe JavaScript SDK (128KB gzipped) runs in the browser and collects over 1,000 individual signals in under 50ms. Signals are organized into categories that capture different aspects of the device and browser environment. The collection process is designed to be imperceptible to the user -- it does not cause visible page jank, does not trigger consent dialogs, and does not access any personally identifiable information.
| Category | What It Captures | Why It Matters |
|---|---|---|
| Canvas | Draws text and shapes on a hidden canvas and hashes the rendered pixels | GPU and rendering engine differences produce unique outputs across devices |
| WebGL | Queries GPU renderer, vendor, extensions, shader precision, texture limits | GPU model is a strong hardware identifier that persists across browsers |
| Audio | Processes an oscillator tone through an offline AudioContext and hashes the output | Audio processing characteristics vary by OS audio stack and hardware |
| Fonts | Measures rendering width of test strings to detect installed system fonts | Font inventory is OS and locale-specific, providing medium-high uniqueness |
| Screen | Resolution, color depth, pixel ratio, available area, taskbar position | Screen configuration is relatively stable and hardware-bound |
| Navigator | Platform, languages, hardware concurrency, device memory, touch support | Reflects hardware capabilities and user preferences |
| CSS/Media | Media query results, CSS feature support, color scheme preferences | Browser engine and version fingerprint via supported features |
| Math | Precision of math functions (sin, cos, tan, log) across browser engines | Engine-specific floating point behavior distinguishes Chrome from Firefox from Safari |
| Client Hints | UA-CH brands, platform version, architecture, bitness | Modern replacement for User-Agent with structured data |
| Storage | Cookie, localStorage, sessionStorage, IndexedDB, FileSystem availability | Privacy settings and browser configuration indicators |
Most signals are collected synchronously in under 5ms. A few high-value signals require asynchronous operations: canvas rendering (5-15ms), audio processing (3-10ms), font enumeration (10-30ms), and WebGL probing (5-15ms). The total collection time is typically 30-80ms on modern hardware. The SDK uses requestAnimationFrame scheduling to avoid blocking the main thread.
After collection, the signal payload is encrypted using AES-256-GCM with a session key derived from your API key. The encryption serves two purposes: it prevents man-in-the-middle observers from learning what signals are collected, and it prevents clients from tampering with the signal values before they reach the server.
The encrypted payload is sent as a POST request to the tracio.ai API endpoint. The payload size is typically 2-5KB compressed. The SDK handles retries with exponential backoff for transient network failures, and the request times out after the configured timeout (default 10 seconds).
The server receives the encrypted payload, decrypts it, and runs the signals through a multi-stage processing pipeline. Each stage adds context and enrichment to the raw signals before producing the final identification result.
Encrypted Payload | v+-----------------+| 1. Decrypt | AES-256-GCM decryption, payload validation+--------+--------+ | v+-----------------+| 2. Parse | Extract 1,000+ individual signals from the payload| Signals | Validate types, ranges, and consistency+--------+--------+ | v+-----------------+| 3. Signal | Group signals into hardware, browser, session tiers| Processing | Compute proprietary hash per tier+--------+--------+ | v+-----------------+| 4. Candidate | Search for visitors with matching hardware hash| Lookup | Narrows billions of possibilities to dozens of candidates+--------+--------+ | v+-----------------+| 5. AI | Compare each candidate against full signal set| Matching | Weighted scoring with drift tolerance+--------+--------+ | v+-----------------+| 6. Confidence | Compute confidence score (0.0 - 1.0)| Scoring | Threshold check for match vs. new visitor+--------+--------+ | v+-----------------+| 7. Smart | Run 24 server-side detectors in parallel:| Signals | Bot, VPN, proxy, Tor, tampering, incognito, VM, etc.+--------+--------+ | v+-----------------+| 8. IP Intel | GeoIP lookup, VPN ASN check, blocklist, reputation+--------+--------+ | v JSON ResponseSignals are separated into three tiers based on stability. Hardware-tier signals (canvas, WebGL, audio, screen) change only when the physical device changes. Browser-tier signals (fonts, User-Agent, math precision) change with browser updates. Session-tier signals (timezone, color scheme, connection type) change frequently with user behavior. Each tier is processed independently using proprietary algorithms, producing a composite fingerprint used for visitor lookup and matching.
| Tier | Stability | Weight | Examples |
|---|---|---|---|
| Hardware | Very High | 60% | Canvas, WebGL renderer/vendor, audio hash, screen resolution, color depth |
| Browser | Medium | 30% | Fonts, User-Agent, platform, math precision, CSS features |
| Session | Low | 10% | Timezone, color scheme, cookie support, connection type |
Real-world browsers change over time. Fonts get installed, browser versions update, users switch between light and dark mode. The AI-powered matching engine handles these expected changes by comparing signals individually rather than relying on a single monolithic approach. Each signal comparison produces a match score between 0.0 and 1.0, weighted by the signal's uniqueness and stability. The weighted sum produces the final confidence score.
After identification, the server runs 24 smart signal detectors in parallel. These detectors analyze the browser signals, IP address, and behavioral history to produce enrichment data including bot detection, VPN/proxy detection, tampering analysis, incognito mode detection, virtual machine detection, and an aggregated suspect score.
The API returns a comprehensive JSON response containing the visitor ID, confidence score, bot detection results, all smart signals, and IP intelligence. The entire server-side processing pipeline completes in under 50ms, including database queries and GeoIP lookups.
{ "visitorId": "X7fh2Hg9LkMn3pQr", "confidence": { "score": 0.995, "revision": "v3.0" }, "requestId": "1710432000_abc123def", "bot": { "result": "notDetected", "probability": 0.0 }, "ipLocation": { "city": { "name": "Prague" }, "country": { "code": "CZ", "name": "Czechia" }, "latitude": 50.05, "longitude": 14.4, "timezone": "Europe/Prague" }, "incognito": false, "tampering": { "result": false, "anomalyScore": 0.12 }, "vpn": { "result": false, "confidence": "high" }, "suspectScore": { "result": 3 }, "velocity": { "distinctIp": { "intervals": { "5m": 1, "1h": 1, "24h": 2 } }, "events": { "intervals": { "5m": 1, "1h": 3, "24h": 12 } } }}| Metric | Value |
|---|---|
| SDK size | 128KB gzipped |
| Signal collection | 30-80ms |
| Server processing | < 50ms (P95 < 30ms) |
| Total end-to-end | 50-200ms |